Popular news aggregator platform Flipboard has disclosed that databases containing account information for certain users have been hacked. The data, which was potentially downloaded several times over a nine-month period ending on April 22, included user credentials, the Palo Alto, California-based company revealed in an email sent to all Flipboard users. A security incident notice published on the Flipboard website gives the details of the data breach. The total number of affected users is uncertain. However, as a precautionary measure, the company has reset the passwords of all of its approximately 150 million users, including the passwords that were cryptographically protected.
In a notification posted to its website, Flipboard says:
We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.
The company explains that the hackers were able to access “some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address”.
But this is not the end of the story:
Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.
Flipboard says that while not all user accounts were affected by the breach, it is resetting passwords for everyone. Digital tokens used to connect to third-party services have also been disconnected, replaced or deleted as appropriate.
The company has notified law enforcement about the incident and engaged an external security firm to investigate.